I’m waiting to see if Ron or any other PMC members wanted to review this before I close the vote and continue with the release. -- Matt Sicker
> On Dec 29, 2021, at 11:42, Matt Sicker <boa...@gmail.com> wrote: > > My +1 > -- > Matt Sicker > >> On Dec 29, 2021, at 10:35, Carter Kozak <cko...@ckozak.net >> <mailto:cko...@ckozak.net>> wrote: >> >> +1 >> >> $ mvn -version >> Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537) >> Maven home: /opt/homebrew/Cellar/maven/3.8.4/libexec >> Java version: 1.8.0_312, vendor: Azul Systems, Inc., runtime: >> /Users/ckozak/.tools/jdk/zulu8.58.0.13-ca-jdk8.0.312-macosx_aarch64/zulu-8.jdk/Contents/Home/jre >> Default locale: en_US, platform encoding: UTF-8 >> OS name: "mac os x", version: "12.1", arch: "aarch64", family: "mac" >> >> build/tests/rat look good >> >> -ck >> >> On Tue, Dec 28, 2021, at 20:59, Matt Sicker wrote: >>> This is a vote to release Log4j 2.3.2, a security release for Java 6 users. >>> >>> Please download, test, and cast your votes on the log4j developers list. >>> [] +1, release the artifacts >>> [] -1, don't release because… >>> >>> The vote will remain open for as short amount as time as required to vet >>> the release. All votes are welcome and we encourage everyone to test the >>> release, but only Logging PMC votes are “officially” counted. As always, at >>> least 3 +1 votes and more positive than negative votes are required. >>> >>> Changes in this version include: >>> >>> Fixed Bugs >>> >>> Fixed Bugs: >>> o LOG4J2-3293: JDBC Appender should use JNDI Manager and JNDI access >>> should be limited. >>> Backport fix for CVE-2021-44832. >>> o LOG4J2-2819: Add support for specifying an SSL configuration for >>> SmtpAppender. >>> Backport fix for CVE-2020-9488 to allow SSL/TLS hostname >>> verification. >>> >>> Tag: >>> a) for a new copy do "git clone >>> https://github.com/apache/logging-log4j2.git >>> <https://github.com/apache/logging-log4j2.git> >>> <https://github.com/apache/logging-log4j2.git >>> <https://github.com/apache/logging-log4j2.git>>" and then "git checkout >>> tags/log4j-2.3.2-rc1” or just "git clone -b log4j-2.3.2-rc1 >>> https://github.com/apache/logging-log4j2.git >>> <https://github.com/apache/logging-log4j2.git> >>> <https://github.com/apache/logging-log4j2.git >>> <https://github.com/apache/logging-log4j2.git>>" >>> b) for an existing working copy to “git pull” and then “git checkout >>> tags/log4j-2.3.2-rc1” >>> >>> Web Site: [none published yet; need someone to stage a generated site] >>> >>> Maven Artifacts: >>> https://repository.apache.org/content/repositories/orgapachelogging-1081/ >>> <https://repository.apache.org/content/repositories/orgapachelogging-1081/> >>> >>> Distribution archives: >>> https://dist.apache.org/repos/dist/dev/logging/log4j/ >>> <https://dist.apache.org/repos/dist/dev/logging/log4j/> >>> <https://dist.apache.org/repos/dist/dev/logging/log4j/ >>> <https://dist.apache.org/repos/dist/dev/logging/log4j/>> >>> >>> You may download all the Maven artifacts by executing: >>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate >>> https://repository.apache.org/content/repositories/orgapachelogging-1081/org/apache/logging/log4j/ >>> >>> <https://repository.apache.org/content/repositories/orgapachelogging-1081/org/apache/logging/log4j/> >>> >>> -- >>> Matt Sicker >